When Impersonating Declaratively, Only Impersonate On the Operations That Require It

Impersonate only on the specific operations that require it. If you impersonate on operations that do not need the additional privileges, you increase your attack surface as well as the potential impact of an exploit.

Impersonation is a costly operation and is usually used for higher privileged original callers. Using impersonation selectively, only on the operations that need it, reduces the potential attack surface. You can impersonate declaratively by applying the OperationBehaviorAttribute attribute on any operation that requires client impersonation, as shown in the following code example:
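
An added example, not the original article's listing: a self-hosted WCF service in which only one operation carries `OperationBehavior(Impersonation = ImpersonationOption.Required)` while the other runs under the service's own identity. The contract, service class, `C:\UserFiles` root and `net.tcp` address are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract, service and path names, for illustration only.
[ServiceContract]
public interface IDocumentService
{
    [OperationContract] string GetServiceIdentity();
    [OperationContract] string ReadUserFile(string fileName);
}

public class DocumentService : IDocumentService
{
    private const string UserFilesRoot = @"C:\UserFiles"; // assumed, ACL'd per user

    // No attribute: this operation runs under the service's process identity.
    public string GetServiceIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Only this operation runs as the caller. WCF impersonates for the
    // duration of the method and reverts when it returns.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadUserFile(string fileName)
    {
        // Keep only the file name so the request cannot leave the root.
        string name = Path.GetFileName(fileName);
        if (string.IsNullOrEmpty(name))
            throw new FaultException("Invalid file name.");
        // The file ACL is checked against the caller's Windows token here.
        return File.ReadAllText(Path.Combine(UserFilesRoot, name));
    }
}

public static class Program
{
    public static void Main()
    {
        // NetTcpBinding defaults to transport security with Windows credentials.
        var address = new Uri("net.tcp://localhost:9000/documents"); // assumed
        using (var host = new ServiceHost(typeof(DocumentService)))
        {
            host.AddServiceEndpoint(typeof(IDocumentService), new NetTcpBinding(), address);
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

For the file read to succeed as the caller, the client has to set `ClientCredentials.Windows.AllowedImpersonationLevel` to `TokenImpersonationLevel.Impersonation`. Leave `ServiceAuthorizationBehavior.ImpersonateCallerForAllOperations` at its default of `false`, otherwise every operation impersonates and the per-operation scoping is lost.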